Hey Mario, I think whether or not it's a security issue depends on the permissions and the contents and capability of the application being debugged; the way I understand this is that being able to debug an app means you are allowed to execute code in the context of the application, i.e. with the PID and GIDs of the target application; this means you and your unauthenticated code automatically have all the privileges of the vulnerable app.
*It also means you can skew the results of forensic audits on the device, by blaming one piece of software for doing something it never had the capability to do or was intended to do; this then threatens reputational and possibly legal action against a developer or company responsible for the debuggable app.*

For instance, if you have something like the following permissions:

1. INTERNET
2. READ_PHONE_STATE
3. SEND_SMS
4. WRITE_EXTERNAL_STORAGE
5. RECEIVE_SMS
6. READ_SMS
7. ACCESS_COARSE_LOCATION
8. READ_CONTACTS
9. ACCESS_FINE_LOCATION
10. WRITE_SMS

Executing code inside an app with these permissions would be a likely attack vector for any adversary that would like to read SMSs, exfiltrate data from the app or the phone, send SMS without needing any form of authentication, or leak the victim's contacts list; I could go on.

*Also, on the actual fix for the code, it requires that you either have ROOT or ADB_SHELL permission, the key here being the ADB_SHELL permission, which is a considerably lower privilege---2000 or something---when compared to root, and basically anyone with physical access to the device has this permission.*

I still consider this a pretty serious security vulnerability, but only depending on how much data and what kind of data the developers or users expose because of it, and sure, the complexity of these attack vectors may be high because of the need to physically access the device---I mean, how hard is it to snatch someone's phone?---though it does present a significant risk.

On Thursday, August 29, 2013 1:10:11 PM UTC+2, Keith Makan wrote:
> I'm largely familiar with risk around publishing a debuggable app to the market,
> it basically breaks down to an attacker being able to perform remote code execution
> and leak the values of private and internal fields from the object instances and static fields.
>
> *My question is,* does anyone know how to exploit a debuggable app to achieve uncontrolled code exec?
> Regards

--
You received this message because you are subscribed to the Google Groups "Android Security Discussions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to android-security-discuss+unsubscr...@googlegroups.com.
To post to this group, send email to android-security-discuss@googlegroups.com.
Visit this group at http://groups.google.com/group/android-security-discuss.
For more options, visit https://groups.google.com/groups/opt_out.
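The reply above argues that a debuggable flag is only as serious as the permissions the app would hand to whoever attaches a debugger. The script below is an added example (not from anyone in this thread) that turns that reasoning into an audit check: it reads a decoded, text-form AndroidManifest.xml (as apktool produces; the binary manifest inside an APK must be decoded first), reports whether `android:debuggable` is set, and lists which of the ten permissions named in the reply the app requests. The sample manifest, the package name and the severity labels are constructed for the example.

```python
"""Flag a debuggable Android app and the sensitive permissions it would hand
to anyone who can attach a debugger (added example; not from the thread).

Assumes a decoded, text-form AndroidManifest.xml (as produced by apktool);
the binary manifest packed inside an APK must be decoded first.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(element, name):
    """Read an attribute from the android: namespace (None if absent)."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


# The ten permissions listed in the reply, fully qualified.
SENSITIVE_PERMISSIONS = frozenset(
    "android.permission." + p for p in (
        "INTERNET", "READ_PHONE_STATE", "SEND_SMS", "WRITE_EXTERNAL_STORAGE",
        "RECEIVE_SMS", "READ_SMS", "ACCESS_COARSE_LOCATION", "READ_CONTACTS",
        "ACCESS_FINE_LOCATION", "WRITE_SMS",
    )
)

# Constructed sample manifest: a debuggable app requesting two of the
# sensitive permissions plus one (CAMERA) that is not on the list.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.debugdemo">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="DebugDemo" android:debuggable="true">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def audit_manifest(xml_text):
    """Return a report: the debuggable flag, every requested permission, the
    subset a debugger session would inherit, and a coarse severity."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    # android:debuggable defaults to false when the attribute is absent.
    flag = _attr(app, "debuggable") if app is not None else None
    debuggable = (flag or "false").strip().lower() == "true"
    requested = {
        _attr(e, "name") for e in root.iter("uses-permission") if _attr(e, "name")
    }
    exposed = sorted(requested & SENSITIVE_PERMISSIONS)
    if debuggable and exposed:
        severity = "high"   # code run through the debugger gets these permissions
    elif debuggable:
        severity = "low"    # still a finding, but little of note to inherit
    else:
        severity = "none"
    return {
        "package": root.get("package"),
        "debuggable": debuggable,
        "requested_permissions": sorted(requested),
        "sensitive_permissions": exposed,
        "severity": severity,
    }


if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    print("package:", report["package"])
    print("debuggable:", report["debuggable"], "severity:", report["severity"])
    for perm in report["sensitive_permissions"]:
        print("  inherited by a debugger session:", perm)
```

For a built APK the same two facts can be read without decoding the whole package: `aapt dump xmltree app.apk AndroidManifest.xml` prints the `android:debuggable` attribute and `aapt dump badging app.apk` lists the requested permissions. The flag is exactly what the platform's `run-as` path consults before letting the shell user act as the app, so the fix on the developer side is simply to ensure release builds never carry `android:debuggable="true"`.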